sanitize delete function
patrickhener committed Dec 6, 2023
1 parent 4a28f6d commit ffe8319
Showing 2 changed files with 12 additions and 3 deletions.
8 changes: 7 additions & 1 deletion httpserver/handler.go
Expand Up @@ -397,7 +397,13 @@ func (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {
upath = path.Clean(upath)
upath = filepath.Clean(upath)

deletePath := filepath.Join(fs.Webroot, upath)
fileCleaned, _ := url.QueryUnescape(upath)
if strings.Contains(fileCleaned, "..") {
w.WriteHeader(500)
w.Write([]byte("Cannot delete file"))
}

deletePath := filepath.Join(fs.Webroot, fileCleaned)

err := os.RemoveAll(deletePath)
if err != nil {
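Review bot: The new `..` check in deleteFile writes the 500 response but never returns, so execution still falls through to `filepath.Join(fs.Webroot, fileCleaned)` and `os.RemoveAll(deletePath)` for exactly the paths it was meant to reject. The error from `url.QueryUnescape` is also discarded; on a malformed escape it returns an empty string, which makes `deletePath` the web root itself. Because decoding happens after `path.Clean`/`filepath.Clean`, the value being joined is no longer the cleaned one, so a containment check of the final joined path against `fs.Webroot` is a sturdier guard than a substring match (which also rejects legitimate names such as `a..b`). The sketch below returns on every rejection and uses 4xx statuses; refusing to delete the web root itself (the `rel == "."` case) is a behaviour change to confirm. deleteFile starts before and continues past this hunk.

```go
fileCleaned, unescapeErr := url.QueryUnescape(upath)
if unescapeErr != nil {
	w.WriteHeader(http.StatusBadRequest)
	w.Write([]byte("Cannot delete file"))
	return
}

deletePath := filepath.Join(fs.Webroot, fileCleaned)
// Reject anything that does not resolve strictly below the web root.
rel, relErr := filepath.Rel(fs.Webroot, deletePath)
if relErr != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
	w.WriteHeader(http.StatusForbidden)
	w.Write([]byte("Cannot delete file"))
	return
}
// … unchanged: os.RemoveAll(deletePath) and its error handling …
```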
7 changes: 5 additions & 2 deletions httpserver/updown.go
Expand Up @@ -69,9 +69,12 @@ func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
}

// Write file to disk 16MB at a time
buffer := make([]byte, 1 << 24)
buffer := make([]byte, 1<<24)

osFile, err := os.OpenFile(savepath, os.O_WRONLY | os.O_CREATE, os.ModePerm)
osFile, err := os.OpenFile(savepath, os.O_WRONLY|os.O_CREATE, os.ModePerm)
if err != nil {
logger.Warnf("Error opening file: %+v", err)
}
defer osFile.Close()

for {
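Review bot: The added `if err != nil` block after `os.OpenFile` only logs, so on failure the handler carries on to `defer osFile.Close()` and the write loop with a nil `*os.File`; it should stop there, e.g. `return` after the `logger.Warnf` call (with an error response if none has been sent yet, which is not visible here). Separately, `os.ModePerm` creates uploaded files as 0777 before umask; `0644` would avoid handing out write and execute bits on user-supplied content. Without `os.O_TRUNC` (or `os.O_EXCL`), writing over an existing longer file leaves its old tail in place, which is worth confirming against how `savepath` is chosen outside the hunk. upload begins before and continues after this hunk.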